Security practices.
How Orbyt Intelligence handles security today: Bearer-token authentication with restricted per-engine scopes, AES-256 encryption at rest via Supabase, TLS 1.3 in transit via Vercel, SHA-256 key hashing, audit logging on administrative actions. Honest about what isn't yet certified.
Orbyt is not SOC 2 certified yet. The audit engagement isn't scheduled. There is no cash bug-bounty program. There is no signed DPA for self-serve customers. The honest position: Orbyt is a solo-founder product that runs on infrastructure (Vercel, Supabase, Stripe) which is itself SOC 2 Type 2 certified, and follows reasonable security practices everywhere we control the code. We'll update this page the moment formal commitments are real. Enterprise prospects can reach security@orbytjobs.ai to discuss what we can document today vs. what's in flight.
Authentication.
Orbyt Intelligence authenticates every request via a Bearer token in the Authorization header. API keys are 32 characters of cryptographically random url-safe data (192 bits of entropy), prefixed with intelligence_ so they are easy to spot in logs, source code, and secret scanners.
Keys are generated in the customer dashboard and shown to the user once: Orbyt stores only a SHA-256 hash, never the plaintext. Plain SHA-256 is the right choice here because the key is itself high-entropy random data; a deliberately slow password hash would add cost without adding security. The hash column is indexed so middleware resolves a key with a single lookup, and a revoked key is removed from that index immediately, so authentication fails on its next use. Rate-limit state cached against a revoked key expires within 60 seconds.
Restricted keys with per-engine scopes limit blast radius. A key can be granted only the scopes it needs:
- intelligence:read: substrate (AI Role Taxonomy)
- skills:read: AI Skill Premiums + Half-Life
- market:read: AI Hiring Velocity
- compensation:read: AI Comp by Stage
- company_data:read: AI Company Signals (Scale tier)
- intelligence:lineage: /lineage provenance endpoint
- intelligence:write: POST endpoints (Enterprise)
If a key is leaked, the blast radius is limited to the scopes that key was granted. Production keys should always be created with the minimum scope set required for the integration.
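How the pieces above fit together, as an added example that is not Orbyt's code: a key is minted from 24 random bytes (32 url-safe characters) behind the intelligence_ prefix, only its SHA-256 hash is stored, and the middleware resolves a Bearer token by hashing it and looking the hash up before checking the scope the route requires. The in-memory store and the route paths are assumptions; the scope names are the page's.

```python
# Added example (not Orbyt's code): API key issuance with hash-only storage,
# Bearer resolution and per-engine scope checks, as described on the page.
import hashlib
import re
import secrets
from typing import Dict, FrozenSet, Optional, Tuple

KEY_PREFIX = "intelligence_"
KEY_BYTES = 24  # 24 random bytes -> 32 url-safe base64 chars, no padding

# Hypothetical in-memory store standing in for the indexed key table.
# It maps sha256(key) -> record; the plaintext key is never stored.
_KEY_STORE: Dict[str, Dict[str, FrozenSet[str]]] = {}

# Scope required per route. Scope names are the page's; the paths are assumed.
REQUIRED_SCOPE = {
    "GET /v1/skills": "skills:read",
    "GET /v1/lineage": "intelligence:lineage",
    "POST /v1/intelligence": "intelligence:write",
}

_BEARER_RE = re.compile(r"^Bearer\s+(\S+)$")


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def issue_key(scopes) -> str:
    """Mint a key, persist only its hash, and return the plaintext exactly once."""
    key = KEY_PREFIX + secrets.token_urlsafe(KEY_BYTES)
    _KEY_STORE[sha256_hex(key)] = {"scopes": frozenset(scopes)}
    return key


def revoke_key(key: str) -> None:
    """Drop the hash from the index; the very next lookup fails."""
    _KEY_STORE.pop(sha256_hex(key), None)


def resolve_bearer(auth_header: Optional[str]):
    """Map an Authorization header to a key record, or None if it does not resolve."""
    if not auth_header:
        return None
    m = _BEARER_RE.match(auth_header)
    if not m or not m.group(1).startswith(KEY_PREFIX):
        return None
    # Hashing the presented key turns the lookup into an indexed equality match,
    # so no plaintext ever reaches the database or its query logs.
    return _KEY_STORE.get(sha256_hex(m.group(1)))


def authorize(auth_header: Optional[str], route: str) -> Tuple[int, str]:
    """Return the (status, reason) the middleware would produce for this request."""
    rec = resolve_bearer(auth_header)
    if rec is None:
        return 401, "invalid or revoked key"
    needed = REQUIRED_SCOPE.get(route)
    if needed is None:
        return 404, "unknown route"
    if needed not in rec["scopes"]:
        # Leaked read-only key cannot reach write endpoints: this is the blast-radius limit.
        return 403, f"key lacks scope {needed}"
    return 200, "ok"


if __name__ == "__main__":
    k = issue_key(["skills:read"])
    print(k, authorize(f"Bearer {k}", "GET /v1/skills"))
    print(authorize(f"Bearer {k}", "POST /v1/intelligence"))
```

The check order matters: an unknown or revoked key gets 401 before the route is even consulted, and a valid key with the wrong scope gets 403, so a leaked read-only key never produces a useful response from a write endpoint.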
Encryption.
Data at rest is encrypted with AES-256 by Supabase, and all traffic uses TLS 1.3 terminated at Vercel.
Webhook integrity.
The Stripe webhook signature is verified with HMAC-SHA256 using the signing secret held in environment variables. A failed verification is logged and the handler returns 400 to Stripe rather than crashing; Stripe retries non-2xx deliveries, so a transient failure on our side is not lost. Replay of a captured request is bounded by the 5-minute timestamp tolerance built into the signature scheme; within that window a replayed request still carries a valid signature, so the handler must also be idempotent on the event id.
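The verification described above, written out as an added example that is not Orbyt's code: the Stripe-Signature header carries a timestamp and one or more v1 HMACs over "<timestamp>.<raw body>", the tolerance check rejects stale deliveries, and an event-id set catches replays that fall inside the window. The signing secret, event body, timestamps and the in-memory seen-id store are constructed here; the header format is Stripe's documented one.

```python
# Added example (not Orbyt's code): verifying a Stripe-style webhook signature
# by hand, with the 5-minute timestamp tolerance and an event-id idempotency
# check. Secret, payload and timestamps below are constructed test data.
import hashlib
import hmac
import json
from typing import List, Optional, Set, Tuple

SIGNING_SECRET = "whsec_constructed_example_secret"  # the real one lives in env vars
TOLERANCE_SECONDS = 300  # the 5-minute window

# Constructed event body, abbreviated to the fields the handler needs.
SAMPLE_EVENT = json.dumps(
    {"id": "evt_constructed_001", "type": "customer.subscription.updated"}
).encode("utf-8")

# Hypothetical store of already-processed event ids (a DB table in practice).
_SEEN_EVENT_IDS: Set[str] = set()


def sign_payload(payload: bytes, timestamp: int, secret: str = SIGNING_SECRET) -> str:
    """Build the Stripe-Signature header a sender attaches: HMAC over '<t>.<body>'."""
    signed = f"{timestamp}.".encode("utf-8") + payload
    mac = hmac.new(secret.encode("utf-8"), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_signature(payload: bytes, sig_header: str, now: int,
                     secret: str = SIGNING_SECRET) -> Tuple[bool, str]:
    """Return (ok, reason). payload must be the raw request body, not re-serialised JSON."""
    timestamp: Optional[str] = None
    candidates: List[str] = []
    for item in sig_header.split(","):
        key, _, value = item.partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)  # several v1 values appear during secret rotation
    if timestamp is None or not timestamp.isdigit() or not candidates:
        return False, "malformed header"
    ts = int(timestamp)
    # Reject deliveries older (or, defensively, newer) than the tolerance window.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"
    expected = hmac.new(secret.encode("utf-8"),
                        f"{ts}.".encode("utf-8") + payload, hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak the matching prefix length via timing.
    if not any(hmac.compare_digest(expected, c) for c in candidates):
        return False, "signature mismatch"
    return True, "ok"


def handle_webhook(payload: bytes, sig_header: str, now: int) -> Tuple[int, str]:
    """Return the (http_status, outcome) the handler should produce for one delivery."""
    ok, reason = verify_signature(payload, sig_header, now)
    if not ok:
        # Log and answer 400; the handler stays up and Stripe retries non-2xx deliveries.
        return 400, reason
    event_id = json.loads(payload).get("id")
    if event_id in _SEEN_EVENT_IDS:
        # A replay inside the tolerance window carries a valid signature; deduplicating
        # on event id is what neutralises it. Still answer 200 so Stripe stops retrying.
        return 200, "duplicate"
    _SEEN_EVENT_IDS.add(event_id)
    # ... act on the event (subscription change, audit log entry, etc.) ...
    return 200, "processed"


if __name__ == "__main__":
    now = 1_700_000_000
    header = sign_payload(SAMPLE_EVENT, now)
    print(handle_webhook(SAMPLE_EVENT, header, now))
    print(handle_webhook(SAMPLE_EVENT, header, now + 10))
```

Two details are easy to get wrong in practice: the HMAC must be computed over the exact bytes received (any framework that parses and re-serialises the JSON body will break verification), and the comparison must be constant-time, which is why hmac.compare_digest is used instead of ==.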
Operational practices.
What we do today (none of these are formal certifications, just engineering discipline):
- Logical access: production database access requires MFA. Supabase service-role keys live in encrypted env vars, not source control.
- Audit logging: administrative actions (key issuance, subscription change, data export) are logged to the audit_log table with actor, action, resource, and timestamp.
- Change management: all production code is reviewed before merge. Deployments are automated and traceable from git SHA to PR to author. Rollback is a one-command revert.
- Backup + recovery: Supabase manages daily backups with point-in-time recovery for the trailing 7 days.
- Vendor stack: primary providers (Vercel, Supabase, Stripe, Resend, Upstash) are SOC 2 Type 2 certified themselves. Customer data inherits their physical and operational security.
These are practices, not certifications. Formal SOC 2 audit will follow when customer scale justifies the investment.
Responsible disclosure.
Orbyt does not run a cash bug-bounty program today. We do welcome and take seriously every vulnerability report from security researchers. Send findings to security@orbytjobs.ai. We commit to:
- Acknowledging reports within a few business days
- Investigating and confirming or refuting promptly
- Crediting the researcher in any postmortem or public write-up (if requested)
- A reasonable disclosure window: we don't play games to delay fixes
We'll launch a paid bounty program when scale justifies it. Until then, researcher credit and a sincere thank-you are what we can offer.
Out of scope: denial-of-service, social-engineering Orbyt staff, physical attacks, anything requiring access to a customer account other than your own.
Privacy and data handling.
Orbyt's salary dataset is aggregated and statistically anonymized: no individual worker is identifiable from the published data. This is the most important fact about Orbyt's privacy posture, because it limits the scope of personal-information concerns to customer account data (name, email, payment info, operational logs), not the salary dataset itself.
For customer account data, we follow industry-standard practices:
- Access, correction, and deletion requests honored within a reasonable timeframe
- No selling of personal information to third parties
- Sub-processors (Vercel, Supabase, Stripe, Resend, Upstash) all SOC 2 Type 2 certified
- U.S.-based primary infrastructure; EU-region nodes for EU customers when available
DPA + SCCs: Orbyt does not have a standard published DPA today. Enterprise prospects who need a Data Processing Agreement, Standard Contractual Clauses for international transfers, or a signed BAA can email legal@orbytjobs.ai and we'll work through deal-specific terms. We won't commit to a 24-hour breach notification window or other specific contractual SLAs in this page; those go in a signed agreement when we can defend them.
Privacy requests can also be sent to privacy@orbytjobs.ai and we'll respond in good faith.
Contact.
Last updated May 2026. This page describes Orbyt's current security practices, not contractual commitments. When Orbyt obtains formal certifications (SOC 2, ISO 27001, etc.) this page will be updated to reflect them. Email security@orbytjobs.ai with questions.